[claude] claude.md additions #507
github-actions[bot] wants to merge 10 commits into main
Conversation
## Reason
Explain *why* this change is being made.
## Overview
For large or complex changes, describe what is being changed.
## Test Plan
Explain how you tested the change.
GitOrigin-RevId: 9644a9351168d7cb15db875c489a13f8488354c7
The following public packages have changed files:
There are no existing changesets for this branch. If the changes in this PR should result in new published versions for the packages above please add a changeset. Any packages that depend on the planned releases will be updated and released automatically in a separate PR. Each changeset corresponds to an update in the CHANGELOG for the packages listed in the changeset. Therefore, you should add a changeset for each notable package change that this PR contains. For example, if a PR adds two features - one feature for packages A and B and one feature for package C - you should add two changesets. One changeset for packages A and B and one changeset for package C, with a description of each feature. The feature description will end up being the CHANGELOG entry for the packages in the changeset.
No releases planned.
Last updated by commit 10f360c
GitOrigin-RevId: 25e8a0d853f994f63c8cbb7fe95eb73e74749c4f
Updating the UI to a 2-step dialog that Pat designed. See screenshots:
---------
Co-authored-by: Claude <noreply@anthropic.com>
GitOrigin-RevId: a7ad068a39452f6b45002dfeab88f7b70426b56a
…885) `getNonce` now returns a bigint to preserve the full 64 bits of randomness in the nonce.

The nonce used for request signing is generated from two random 32-bit integers combined into a single 64-bit value. Previously this was returned as a JavaScript number, which only has 53 bits of integer precision (`Number.MAX_SAFE_INTEGER` is `2^53 - 1`). Any nonce above that threshold (so 99.95% of them) would be silently rounded to the nearest representable float, reducing the effective entropy of the nonce and increasing the probability of collisions across requests.

This change switches `getNonce` to return a `bigint`, preserving all 64 bits. The nonce is serialized as a string in the JSON request payload to avoid precision loss on the wire as well.

GitOrigin-RevId: 138c1967aebcf55e0e7467ea86c6ae6ca4743e5d
## Reason
The Grid Dashboard (uma-nage) currently needs GraphQL queries/mutations
for every Grid API endpoint it wants to call. This creates maintenance
overhead and duplicates API definitions. By adding a REST proxy, the
dashboard can call Grid API endpoints directly using the session user's
authentication, eliminating the need for separate GraphQL wrappers.
## Overview
This change introduces a dashboard proxy that allows the uma-nage
frontend to call Grid API endpoints directly via REST:
**Backend (`sparkcore/sparkcore/grid/dashboard_proxy.py`)**
- New blueprint at `/grid-dashboard-api/<path>` that proxies requests to
Grid API handlers
- Validates the session user has a Nage role (administrator, developer,
compliance, or support)
- Blocks impersonation sessions
- Resolves the target platform from the `X-Grid-Platform-Id` header with
soft-delete check
- Verifies the user belongs to the same account as the platform
- Write operations (POST/PUT/PATCH/DELETE) restricted to admin/developer
roles
- Auth failure logging on all rejection paths
- Error messages sanitized to avoid leaking internal paths
- Module-level assertion on `bp_rc.url_prefix` instead of fragile
fallback
- Dispatches to the matching `/grid/rc/<path>` handler via
`create_url_adapter` (respects host_matching)
**Security hardening**
- `g.grid_proxy_verified_platform` attribute name is specific to avoid
accidental collision
- `GkPlatformConstraint.gen_evaluate` now checks
`g.grid_proxy_verified_platform` so platform-scoped gatekeeper rules
work for proxy requests
- `UserRole(r)` parsing skips unknown role strings to prevent crash on
roles added before code deploy
- `platform_context.py` uses `getattr` guard with descriptive
`RuntimeError` instead of bare `AttributeError`
- CSRF defense documented (SameSite=Strict session cookies)
- Comments document dispatch hook bypass and gatekeeper constraint
behavior
**Frontend (`js/apps/private/site/src/uma-nage/gridApiClient.ts`)**
- `gridApiFetch()` function for calling Grid API endpoints via the proxy
- TypeScript types for Grid API responses (`GridExternalAccount`,
`GridListResponse`, `GridError`)
- Convenience helpers for specific endpoints (`getPlatformConfig`,
`listCustomerExternalAccounts`, `listPlatformExternalAccounts`)
- Handles LSID-to-UUID conversion for platform IDs
**Frontend Hook (`js/apps/private/site/src/uma-nage/hooks/useGridApi.ts`)**
- React hook `useGridApiQuery<T>()` for querying Grid API endpoints
- Provides loading/error state management similar to Apollo's `useQuery`
pattern
- `refetch` parameter type tightened to prevent silent `[object Object]`
serialization
**Tests (`test_dashboard_proxy.py` — 11 tests)**
- No session → 401
- Impersonation session → 403
- Non-Nage role → 403
- Read-only role + POST → 403
- Missing `X-Grid-Platform-Id` header → 400
- Invalid UUID in header → 400
- Nonexistent platform → 404
- Soft-deleted platform → 404
- Wrong account → 403
- Happy path GET `/config` → 200
- Guard: `bp_rc` has no before_request/after_request hooks
**Bug fix (`sparkcore/sparkcore/grid/utils/account.py`)**
- `gen_customer_owned_external_accounts_query` now uses
`get_grid_platform_id()` instead of
`vc.getx_umaaas_client().platform_id`, fixing a crash when called via
the dashboard proxy
## Test Plan
- [x] `ruff check` and `ruff format --check` pass on `sparkcore/grid/`
- [x] `getx_umaaas_client` grep shows only guarded uses in
`platform_context.py`, `grid_api.py`, `delete_api_token.py`
- [x] `pytest test_dashboard_proxy.py` — 11/11 pass
- [x] `yarn build` passes
- [x] `yarn lint` passes
## Architecture
```mermaid
sequenceDiagram
participant B as Browser (uma-nage)
participant P as Dashboard Proxy<br>/grid-dashboard-api
participant H as Grid API Handler<br>/grid/rc/*
B->>P: REST request + session cookie<br>+ X-Grid-Platform-Id header
rect rgb(255, 245, 238)
Note over P: Validation chain
P->>P: 1. Session auth (401)
P->>P: 2. Block impersonation (403)
P->>P: 3. Nage role check (403)
P->>P: 4. Write-role gate for non-GET (403)
P->>P: 5. Resolve platform from header (400/404)
P->>P: 6. Account match (403)
end
Note over P: Store platform on g.grid_proxy_verified_platform
P->>H: Dispatch via URL adapter match
rect rgb(240, 248, 255)
Note over H: @grid_api decorator
H->>H: Gatekeeper check
H->>H: Rate limiting
end
H-->>P: JSON response
P-->>B: JSON response
```
---------
Co-authored-by: Claude <noreply@anthropic.com>
GitOrigin-RevId: 815efdd7c07618b123869a7b61fe1ed84c7d4f50
…(#25061) Add 7 new currencies to FiatCurrencyUnit, CurrencyUnit, and JS currency.ts: BDT (Bangladeshi Taka), COP (Colombian Peso), EGP (Egyptian Pound), GHS (Ghanaian Cedi), HTG (Haitian Gourde), JMD (Jamaican Dollar), PKR (Pakistani Rupee)

Fix ThunesGridReceiverVasp to use correct CurrencyPreference constructor (currency=Currency(...), min_sendable, max_sendable) and extract to THUNES_CURRENCY_PREFERENCES constant.

Includes GraphQL schema regeneration and JS codegen output.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: e9d1e12dbb8d47bec8c2b05b5575df4fa4ba1bba
## Summary
- Migrates the [Origin Design System](https://github.com/lightsparkdev/origin) into the webdev monorepo as `js/packages/origin`
- Adapts ESLint, TypeScript, and package scripts to monorepo conventions while preserving Origin's source-shipping build process
- Fixes pre-existing bugs: Drawer API rename (`DrawerPreview` → `Drawer`), redundant type union, `querySelector` generic, Node 20 compatibility
## Details
**Monorepo adaptations:**
- ESLint → `@lightsparkdev/eslint-config/react-lib` with origin-specific rule relaxations for pre-existing type-safety warnings
- TypeScript → extends `@lightsparkdev/tsconfig/base.json` with `bundler` moduleResolution (origin ships source TS, consumers use `transpilePackages`)
- Scripts → standard monorepo names: `types`, `format`, `lint:fix`, `build:watch`, `package:checks`, etc.
- Build → `yarn build:styles` (sass compilation only), preserving origin's source-shipping approach
- Root `dependenciesMeta` → skips Central Icons build scripts (require `CENTRAL_LICENSE_KEY`; icons are already vendored)
**Node 20 compatibility:**
- Downgraded vitest `^4.0.17` → `^3.1.4` (v4 uses rolldown which requires Node >= 22)
- Downgraded jsdom `^27.4.0` → `^25.0.1` (v27 has ESM compat issues with Node 20)
**Local validation results:**
- `types`: pass
- `build`: pass
- `format`: pass
- `lint`: 0 errors, 28 warnings (pre-existing, demoted from errors)
- `test`: 409/411 pass (2 analytics integration tests fail due to React 19 jsdom event dispatch)
## Test plan
- [x] `yarn workspace @lightsparkdev/origin types` — passes
- [x] `yarn workspace @lightsparkdev/origin build` — passes (sass compilation)
- [x] `yarn workspace @lightsparkdev/origin lint` — 0 errors
- [x] `yarn workspace @lightsparkdev/origin format` — passes
- [x] `yarn workspace @lightsparkdev/origin test` — 409/411 pass
- [ ] CI checks pass
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: 3123c9ccf6af5c32f0fe361f0f8b11e4dedb2f50
## Summary
- remove the temporary `origin` ESLint downgrade for unsafe assignment/argument/call and base-to-string
- introduce shared chart datum types plus safe chart label formatting instead of raw `Record<string, unknown>` and `String(...)`
- tighten Base UI state attribute serialization and fix `new Array(...)` typing in chart utilities
## Verification
- `yarn workspace @lightsparkdev/origin format`
- `yarn workspace @lightsparkdev/origin lint`
- `yarn workspace @lightsparkdev/origin types`
- `yarn workspace @lightsparkdev/origin test`
## Notes
- `origin` lint still reports two pre-existing warnings in `DatePicker/parts.tsx` and `Sidebar/parts.tsx`.
- `origin` tests pass with existing jsdom stderr around canvas/sidebar error-path coverage.
GitOrigin-RevId: b919c5e20c8f2ad9c9fa95a026fccdfadf7ac75b
## Reason
VND is not a centCurrencies, so including it as such causes some rendering issues throughout ops / uma.money
GitOrigin-RevId: bedef81c7f4d019aeb20fa9f4ed4d0dbf3c7f639
If this change should result in new package versions please add a changeset before merging. You can do so by clicking the link provided by changeset bot below.